
The Department of Justice (DOJ) said on Thursday that it is charging a North Korean programmer for his alleged role in a conspiracy to carry out multiple destructive cyberattacks around the world, attacks that damaged large amounts of computer hardware and caused extensive losses of data, money and other resources.

The complaint alleges that the programmer, Park Jin Hyok, was a member of a government-sponsored hacking team known to the private sector as the “Lazarus Group,” and worked for a North Korean government front company, Chosun Expo Joint Venture (a/k/a Korea Expo Joint Venture or “KEJV”), to support the DPRK government’s malicious cyber actions.

Malicious activities attributed to Park and his group in the complaint include the creation of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and numerous other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.

In addition to these criminal charges, Treasury Secretary Steven Mnuchin announced today that the Department of the Treasury’s Office of Foreign Assets Control (OFAC) has designated Park and KEJV under Executive Order 13722, based on the malicious cyber and cyber-enabled activity outlined in the criminal complaint.

“Today’s announcement demonstrates the FBI’s unceasing commitment to unmasking and stopping the malicious actors and countries behind the world’s cyberattacks,” said FBI Director Christopher Wray.

“We stand with our partners to name the North Korean government as the force behind this destructive global cyber campaign. This group’s actions are particularly egregious as they targeted public and private industries worldwide – stealing millions of dollars, threatening to suppress free speech, and crippling hospital systems,” he added.

“The scale and scope of the cyber-crimes alleged by the Complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said Assistant Attorney General Demers.

“The Complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage.”

According to the allegations contained in the criminal complaint, which was filed on June 8, 2018 in Los Angeles federal court and unsealed today, Park Jin Hyok was a computer programmer who worked for over a decade for Chosun Expo Joint Venture (a/k/a Korea Expo Joint Venture or “KEJV”).

Chosun Expo Joint Venture had offices in China and the DPRK, and is affiliated with Lab 110, a component of DPRK military intelligence. Alongside the programming work that Park and his group did for paying clients around the world, the Conspiracy also engaged in malicious cyber activities. Security researchers who have independently investigated these activities refer to the hacking team as the “Lazarus Group.”

The Conspiracy’s methods included spear-phishing campaigns, destructive malware attacks, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and the release of self-propagating “worm” malware to build botnets.

In 2016 and 2017, Park and his group allegedly targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. According to the complaint, these emails were sent from some of the same aliases and accounts used in the SPE attack, were at times accessed from North Korean IP addresses, and carried malware containing the same distinctive data table found in the malware used against SPE and certain banks. It is this overlap in accounts, infrastructure and code artifacts across otherwise unrelated intrusions that the complaint relies on to tie the campaigns to a single group.

The maximum potential sentences in this case are prescribed by Congress.

Separately, the House on Wednesday passed legislation that would name and sanction hackers who help carry out nation-state-sponsored cyberattacks.